... and now we can SPL "(?<foo>s[hi]{2}t)" - Mary Cordova - PowerPoint presentation

SLIDE 1

... and now we can SPL "(?<foo>s[hi]{2}t)"

Mary Cordova @cyphoid_mary ShellCon 2020

SLIDE 2

Something(s) about Mary

  • Splunk Trust Member, Splunk Certified Architect
  • SIEM 2013-16 @ <insert biggest gaming company you can think of here>
  • SOAR 2016-18 @ <insert Hollywood agency for your favorite A-lister here>
  • IR 2019-present @ <insert your 2nd favorite (or maybe 3rd) comic book movie studio here>
  • Creds: SANS GIAC6, CCNA, SSCP, ISC2 Exam Developer
  • Education: B.S. Computer Information Systems
  • Groups: WSC, DC310, ISSA, …


SLIDE 3

Agenda

  • What is a SIEM?
  • Why/how is it used?
  • How can you get started?
  • Process
  • Common problems
  • Extra Resources
  • Assumptions
    • you probably already have some familiarity w/ Security, SIEM, SOC, IR, data, Splunk


SLIDE 4

a SIEM has (logs):

a SIEM does:


SLIDE 5

Splunk Enterprise Security SIEM


SLIDE 6

Custom Incident Response Dashboard


SLIDE 7

Splunk training

  • free courses offered by Splunk
  • fundamentals 1 if you’re mostly a user/searcher/data person


Should you put your data in Splunk?

  • Is it machine data with events of interest during an incident?
  • Are there events that should be monitored because they indicate something bad could be happening?
  • Does your data provide context that could be useful in an investigation?
  • You have your data in Splunk...now what?!

SLIDE 8

Process

  • Find your data
  • Clean/normalize your data
  • Save “base” searches
  • Develop analytics, reports, dashboards, alerts


SLIDE 9

Finding your data: index=?? sourcetype=??

  • Choose something unique from your data source that you can search for in Splunk
  • Something you can generate OR something that you know (not think) already occurred
  • We will keyword search for the generated

Locating data “pretty please”

  • index=* sourcetype=* keyword
  • alternatively, if you know something of the architecture: | tstats count WHERE index=* by index sourcetype
  • Found your data? Immediately stop using index=* sourcetype=*
  • After we have located our data we can:
    • Clean our data
    • Build a base search
    • Develop analytics
  • Getting a good base search can take time, frequently a full day’s worth of work at least and often more


SLIDE 10

Building your SPL*

*Search Processing Language

  • Don’t start with fancy SPL
  • Don’t restrict your search with fields at first
  • Don’t run it over a large time range
  • Start with “Verbose Mode”
  • Incrementally define your search
  • Start with “keyword” searches then build faster indexed “field” searches
  • As you narrow the scope of the data you can expand your time window
  • “ctrl+\” for nice formatting


SLIDE 11

Cleaning/normalizing your data

  • Iterate removing noise from the data using “| fields - field field field…”
  • Normalize remaining fields (and values where appropriate) with CIM (Common Information Model)
    • src_ip=#.#.#.#
      • not “source_ip” or “source_address” or “src_address” etc.
    • src_mac=aa:bb:cc:00:11:22
      • not “AA-BB-CC-00-11-22” or “aabbcc001122” etc.
  • You should end up with a nice list of 10-20 normalized fields with the most important values in your data
  • This is a good base search that can be used over and over for various analytics


SLIDE 12

Gotchas


  • Starting small with a keyword makes the job manageable but is not comprehensive enough to make assumptions about the broader data set
  • Initially we get ~25 good fields for further normalization
  • We removed ~60 fields full of noise
  • Removing our keyword to get a sample of all data within our time range is an ugly surprise O_o

The Admin Guide for your data source can help you identify fields to group different types of events, so that you can work on smaller, logically similar sets of data one at a time. You need several samples of each type of event, so that you not only have representation of the different types but also of the different data values that can be found in each of those types.

SLIDE 13

If you’re cleaning, don’t worry about your SPL’ing

  • Whoa…that search looks terrible!!!
  • Too many |fields and too many |table commands!!!
  • Don’t worry about that right now, you’re just cleaning up and organizing your data; you’ll clean up and organize your SPL next


SLIDE 14

Base search - one more time for the crowd in the back

  • Do build your SPL up line by line
  • Keywords become field=value pairs
  • Less keyword and more field=value means you can search larger time ranges
  • Add normalization to well scoped base searches
  • Save base searches for all your data sets
  • Use base searches to build analytics
  • Run finalized analytics in “Fast Mode”


  • Don’t start with fancy SPL
  • Don’t restrict your search with fields at first
  • Don’t run it over a large time range
  • Start with “Verbose Mode”
  • Incrementally define your search
  • Start with “keyword” searches then build indexed “field” searches
  • As you narrow the scope of the data you can expand your time window
  • “ctrl+\” for nice formatting

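To make the base-search normalization of slides 11 and 14 concrete, here is an added Python example (not from the deck, and not Splunk code) that performs the same transformation you would express in SPL with `rename`, `eval` and `fields -`: it maps vendor field names to CIM names, coerces MAC addresses to aa:bb:cc:00:11:22, extracts fields from a raw line with a named capture group (Python spells (?<foo>...) as (?P<foo>...)), and drops noise fields. The sample events, the alias map and the noise-field list are all constructed for the illustration.

```python
import re

# Constructed sample events for this example (not from the deck): three firewall-style
# records whose field names and value formats differ by source, as they do in real data.
SAMPLE_EVENTS = [
    {"source_ip": "10.0.0.5", "dest": "10.0.0.9", "src_mac": "AA-BB-CC-00-11-22",
     "action": "allowed", "debug_id": "x1", "thread": "7"},
    {"source_address": "10.0.0.6", "dest": "10.0.0.9", "mac": "aabbcc001123",
     "action": "blocked", "debug_id": "x2", "thread": "8"},
    {"_raw": "src=10.0.0.7 dst=10.0.0.9 action=blocked", "thread": "9"},
]
# Vendor field names -> CIM names (what "| rename source_ip AS src_ip" does in SPL).
CIM_ALIASES = {"source_ip": "src_ip", "source_address": "src_ip",
               "src_address": "src_ip", "mac": "src_mac", "dest": "dest_ip"}
# Fields that are noise for analytics (what "| fields - debug_id thread" drops).
NOISE_FIELDS = {"debug_id", "thread"}
# Named-capture extraction like "| rex field=_raw"; Python spells (?<name>...) as (?P<name>...).
RAW_PATTERN = re.compile(r"src=(?P<src_ip>\S+)\s+dst=(?P<dest_ip>\S+)\s+action=(?P<action>\S+)")


def normalize_mac(value: str) -> str:
    """Coerce AA-BB-CC-00-11-22 / aabbcc001122 / aa:bb:cc:00:11:22 to CIM form aa:bb:cc:00:11:22."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def normalize_event(event: dict) -> dict:
    """Map one event onto CIM field names, drop noise, and normalize values."""
    out = {}
    if "_raw" in event:  # unparsed event: extract fields with the named groups
        match = RAW_PATTERN.search(event["_raw"])
        if match:
            out.update(match.groupdict())
    for key, value in event.items():
        if key == "_raw" or key in NOISE_FIELDS:
            continue
        out[CIM_ALIASES.get(key, key)] = value  # unknown names pass through unchanged
    if "src_mac" in out:
        out["src_mac"] = normalize_mac(out["src_mac"])
    return out


def base_search(events: list) -> list:
    """The 'base search' output: every event carries the same small, normalized field set."""
    return [normalize_event(event) for event in events]


if __name__ == "__main__":
    for row in base_search(SAMPLE_EVENTS):
        print(row)
```
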
SLIDE 15

Common problems

  • hey Mary, my search isn’t working!
    • duplicate tab
    • delete all your lines
    • add lines ONE by ONE, run your search
    • inspect the output of the fields that aren’t doing what you want


  • hey Mary, how do I know which fields to use?
    • go back to slide 9-13
    • build slide 6 unless you like doing the same thing over and over

SLIDE 16

Thanks!!!

  • This wasn’t really finished, hope it went ok!
  • If you’re weak on regular expressions pick up “Sams Teach Yourself Regular Expressions in 10 Minutes”
    • you can get by with only reading like half the book and using the quick guide in the back :D
